Vulnerabilities in a brave new world of the internet of things

Richard Moulds, VP Strategy at Thales e-Security, examines the internet of things, how it affects people's daily lives and the vulnerabilities that it introduces.

Since the start of the year there has been a flurry of discussion about the Internet of Things, or IoT; some even argue it is the big technology concept set to dominate in 2014. And it is a complex concept indeed – although the devices themselves in their various shapes and sizes are interesting enough, it’s the way they combine to create massive, entangled networks of devices that talk to each other that is truly fascinating. It is the prospect of these devices becoming our eyes, ears and fingertips that really makes IoT revolutionary.

Our imagination immediately goes to the home, with the prospect of these devices allowing us to monitor everything from family members taking their medicine to sleeping patterns, room temperature, fridge stocking levels and plants in need of watering – but this misses the bigger picture. Think of IoT more as an army than as a slave or a scout. Just like people in an army, each device performs its own role, coordinated from the centre, serving a greater effort. Whether the aim is to deliver a smarter city, smarter grid or smarter transportation, it’s the system as a whole we should be focused on – the interplay between the things. These smart systems may ultimately become some of the most complex systems on the planet.

IDC expects the adoption of IoT to leap forward over the coming year and quite rightly identifies that this will require a great focus on the ‘plumbing’ of the IoT and the establishment of partnerships across what is now a disparate ecosystem. What is more worrying is that IDC forecasts only a low level of investment in one of the most important areas – security. This is one of the reasons why we need to look beyond the home, recognise the potential of these large-scale systems to create havoc, and allocate resources accordingly.

The scale, complexity and geographic spread of IoT networks – coupled with the sheer volume of data that makes them tick – combine to make them highly vulnerable. The devices themselves may have little physical protection, the networks through which they communicate cannot always be trusted, and the data centres and tertiary systems which support the devices are a prime target for cyber criminals who are in search of sensitive data or who even want to take control. Any glitch or breach could have consequences threatening not only businesses but national infrastructure and even human lives.

The potential of the IoT depends on establishing trust – trust that can be automated and scaled to massive dimensions. We need to be able to trust the integrity of the devices themselves – are they doing what we ask and, when they provide information, can we believe what they say? We need to be able to trust that they can communicate in secure ways and that rogue devices can be spotted and excluded. And we need to be able to trust the back-end systems that control the network, collect and analyse the data and issue instructions. We hear a lot about the security of specific technologies such as cloud computing and ‘big data analytics’ but, in the context of IoT, these are merely means to an end and security concerns transcend them both.

So how can we ensure we keep on top of the rapidly unfolding explosion of devices before we lose control? The key to any successful strategy to secure connected devices is to address security from the outset, and that becomes immediately apparent with IoT. The sheer scale of the IoT means that the devices only really get ‘touched’ twice – once when we install them and then again when we remove them. For the period in between, which may be decades, everything – upgrades, resets and refreshes – must be done remotely, and must be based on technologies that are proven and that can go the distance.

The good news is that technologies capable of securing trust on the scale of the IoT already exist. One such technology is Public Key Infrastructure (PKI), which has been used by the banking and finance sector for years to secure communications. PKI-based systems encrypt data and use digital credentials to identify web sites, devices and users, in order to determine access to sensitive systems and protect data from prying eyes. Each ‘digital certificate’ is tied to a pair of cryptographic keys: a public key and a private one, the latter of which must be kept secret and used only by the device or user to which it belongs. Failure to correctly manage these keys undermines the foundations of the entire security model, potentially exposing networks and information to cybercriminals.

As we stand on the cusp of the IoT’s explosion into a system that will no doubt be instrumental to how we operate, communicate and live, it is vital that we build safety into these networks now. The IoT offers up unprecedented levels of speed, insight, communication and efficiency if set up and secured in a manner we can trust. Let’s hope that IDC is wrong when they say that there will be no heat on security until there is a fire.